Legitimate Monitoring Software


5 replies to this topic

#1 quizzor

Posted 25 September 2009 - 09:13 PM

I have good reason to believe my roommate has put some kind of keylogging/parental/sysadmin computer monitoring software on my computer. To make a long story short:
-I'm certain it's installed on the machine, not remote.
-These things are not "malware" according to most antivirus/spyware software and are not picked up.
-They won't show up under active processes and can even hide their files and processes from specified users.
-They're pretty good at being invisible (and collecting blackmail that can actually be useful for extortion), unlike normal infections.
-They generally consist of keylogging, screen captures, website recording, etc etc the works.

Generic programs like Avast and COMODO scans aren't finding anything. Downloading MBAM now, I'll try that. I was looking for some kind of keylogger detector but all I could find are some really shady programs. I did come across several tools claiming to be specifically for finding this kind of software, but they were all shady too.

Am I just going to have to google for "parental monitoring software" and then manually look up manual detection and removal processes for all thirty something existing products?


#2 Blade (Site Admin)

Posted 25 September 2009 - 11:21 PM

Hello quizzor and :thumbsup: to BleepingComputer.

Let's see if we can find anything hiding on your system.

Please install RootRepeal
Note: Vista users, right-click the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 quizzor (Topic Starter)

Posted 26 September 2009 - 04:20 PM

Did the scan late last night, bleh. I'd be insulted by the idiot-proof nature of your help if it weren't for the fact that I needed that, being half asleep. :thumbsup: Hopefully I set up that scan right. I don't see anything that might be it, but then again I have no idea what I'm looking for. He may not have installed any monitoring software at all (but I did catch him looking into it after he threatened to blackmail me). Cheap S.O.B. probably wouldn't pay for a commercial solution anyway.

Thanks for helping look into it anyway.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 23:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5AF7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A13000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP9850
Image Path: \Driver\PCI_PNP9850
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9DF0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spsp.sys
Image Path: spsp.sys
Address: 0xF82B3000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: c:\documents and settings\will\local settings\temp\etilqs_dcejycsppn16tj3zcv3w
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Uninstall.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Uninstall.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Uninstall.exe1
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Uninstall.exe1.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp124078360.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp124078360.tmp.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp189587973.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp189587973.tmp.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp20002197.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp20002197.tmp.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp252409988.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp252409988.tmp.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp254971363.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\unp254971363.tmp.info
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\nate\Local Settings\Apps\2.0\VVJVRG30.G65\9GLZH2YB.LZ6\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\nate\Local Settings\Apps\2.0\VVJVRG30.G65\9GLZH2YB.LZ6\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5e5af4a

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5bde6b8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf5e5a454

Stealth Objects
-------------------
Shadow SSDT
-------------------
#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf5e5e28a

==EOF==
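
The report above is RootRepeal output. The block below is an added example, not code from the thread or from RootRepeal, showing one way to parse that report format and group the "Hidden Code" entries by driver and hook address so a log this long can be triaged at a glance. It runs on a constructed excerpt copied from the entries above (a few representative lines, not the full log); the regular expressions, the name cleanup and the summary layout are all this example's own assumptions about the format. Reading the result, every MRxSmb handler is redirected to one address and every Cdfs handler to another, which is the kind of pattern that prompts the next reply's question about DaemonTools and Alcohol, and the single Shadow SSDT hook is attributed to cmdguard.sys, a COMODO driver, consistent with the COMODO install mentioned in the first post.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report format used in this thread.
# The entries are copied from the report above; a real log has many more.
SAMPLE_LOG = r"""
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82666500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82666500 Size: 121

Object: Hidden Code [Driver: Cdfs?????????, IRP_MJ_CREATE]
Process: System Address: 0x8264d500 Size: 121

Object: Hidden Code [Driver: Cdfs?????????, IRP_MJ_READ]
Process: System Address: 0x8264d500 Size: 121

Shadow SSDT
-------------------
#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf5e5e28a

==EOF==
"""

# A "Hidden Code" finding spans two lines: the object line and the
# process/address line that follows it (assumed layout, from the log above).
HOOK_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]$")
ADDR_RE = re.compile(
    r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$")
# Shadow SSDT entries also span two lines: index/function, then status.
SSDT_RE = re.compile(r"^#: (?P<index>\d+) Function Name: (?P<func>\w+)$")
STATUS_RE = re.compile(
    r'^Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')


def clean_driver_name(raw):
    """Drop the trailing garbage RootRepeal prints after some driver names
    (the 'Cdfs?????????' entries above), keeping the printable name."""
    return re.sub(r"[^A-Za-z0-9_.-]+$", "", raw.strip())


def parse_rootrepeal(text):
    """Return the driver hooks and Shadow SSDT hooks found in a RootRepeal log."""
    lines = [line.rstrip() for line in text.splitlines()]
    hooks, ssdt = [], []
    i = 0
    while i < len(lines):
        m = HOOK_RE.match(lines[i])
        if m and i + 1 < len(lines):
            a = ADDR_RE.match(lines[i + 1])
            if a:
                hooks.append({
                    "driver": clean_driver_name(m.group("driver")),
                    "irp": m.group("irp"),
                    "process": a.group("process"),
                    "address": a.group("addr").lower(),
                    "size": int(a.group("size")),
                })
                i += 2
                continue
        m = SSDT_RE.match(lines[i])
        if m and i + 1 < len(lines):
            s = STATUS_RE.match(lines[i + 1])
            if s:
                module_path = s.group("module")
                ssdt.append({
                    "index": int(m.group("index")),
                    "function": m.group("func"),
                    "module_path": module_path,
                    # basename of the hooking module, for quick attribution
                    "module": module_path.rsplit("\\", 1)[-1].lower(),
                    "address": s.group("addr").lower(),
                })
                i += 2
                continue
        i += 1
    return {"driver_hooks": hooks, "shadow_ssdt": ssdt}


def summarize_by_driver(report):
    """Group hook entries per driver: how many IRP handlers are redirected and
    to how many distinct addresses. Dozens of handlers all pointing at one
    address is one hooking module, not dozens of separate findings."""
    grouped = defaultdict(lambda: {"irps": [], "addresses": set()})
    for h in report["driver_hooks"]:
        grouped[h["driver"]]["irps"].append(h["irp"])
        grouped[h["driver"]]["addresses"].add(h["address"])
    return {
        drv: {"count": len(v["irps"]), "addresses": sorted(v["addresses"])}
        for drv, v in grouped.items()
    }


if __name__ == "__main__":
    report = parse_rootrepeal(SAMPLE_LOG)
    for drv, info in summarize_by_driver(report).items():
        print(f"{drv}: {info['count']} IRP handlers -> {info['addresses']}")
    for entry in report["shadow_ssdt"]:
        print(f"Shadow SSDT #{entry['index']} {entry['function']} hooked by {entry['module']}")
```

To use it on a full log, replace SAMPLE_LOG with the saved report's contents; the summary collapses the repeated per-IRP lines into one row per driver, and the Shadow SSDT list names the module behind each hook so entries belonging to installed security software can be recognised before anything is treated as suspicious.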

#4 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 26 September 2009 - 04:42 PM

Do you have DaemonTools and/or Alcohol installed on this machine?

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 quizzor
  • Topic Starter
  • Members
  • 3 posts

Posted 27 September 2009 - 01:13 AM

Daemon Tools is installed, yeah.

#6 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 27 September 2009 - 01:21 PM

Okay... next scan.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log


